author | claireho <chinglanho@gmail.com> | 2011-09-15 16:27:01 -0700 |
---|---|---|
committer | claireho <chinglanho@gmail.com> | 2011-09-15 16:27:01 -0700 |
commit | 0fa67b93b831c6636ca18b152a1b1b14cc99b034 (patch) | |
tree | db802af6d2e60d0d4db577e9b19c997339dd91d0 | |
parent | 3ef011cb2ded20c46f764e284c6a10f49a9923f8 (diff) | |
Fixed read/use of uninitialized memory in RegexMatcher::MatchChunkAt().android-sdk-adt_r20android-sdk-adt_r16.0.1android-sdk-4.0.3_r1android-sdk-4.0.3-tools_r1android-cts-verifier-4.0_r1android-cts-verifier-4.0.3_r1android-cts-4.0_r1android-cts-4.0.3_r2android-cts-4.0.3_r1android-4.0.4_r2.1android-4.0.4_r2android-4.0.4_r1.2android-4.0.4_r1.1android-4.0.4_r1android-4.0.3_r1.1android-4.0.3_r1android-4.0.2_r1android-4.0.1_r1.2android-4.0.1_r1.1android-4.0.1_r1tools_r20ics-plus-aospics-mr1-releaseics-mr1ics-mr0-releaseics-mr0ics-factoryrom-2-release
Bug 5326905.
1. Andy reviewed this Android patch.
2. Ran through all tests under libcore/luni/src/test/java/org/apache/harmony/regex/tests/java/util/regex/
without new failures.
Change-Id: Ifa4c48b62a57b8ea19d332eefc99444ea1b6b910
-rw-r--r-- | i18n/rematch.cpp | 58 |
1 files changed, 35 insertions, 23 deletions
diff --git a/i18n/rematch.cpp b/i18n/rematch.cpp
index bb6964b1..f8085766 100644
--- a/i18n/rematch.cpp
+++ b/i18n/rematch.cpp
@@ -5621,46 +5621,57 @@ GC_Done: { int32_t stringStartIdx, stringLen; stringStartIdx = opValue; - + op = (int32_t)pat[fp->fPatIdx]; fp->fPatIdx++; opType = URX_TYPE(op); opValue = URX_VAL(op); U_ASSERT(opType == URX_STRING_LEN); stringLen = opValue; - + const UChar *patternChars = litText+stringStartIdx; const UChar *patternEnd = patternChars+stringLen; - + const UChar *foldChars = NULL; int32_t foldOffset, foldLength; UChar32 c; - + // BEGIN android-changed + // For ICU ticket#8824 + UBool c_is_valid = FALSE; + #ifdef REGEX_SMART_BACKTRACKING int32_t originalInputIdx = fp->fInputIdx; #endif UBool success = TRUE; - + foldOffset = foldLength = 0; while (patternChars < patternEnd && success) { - if(foldOffset < foldLength) { - U16_NEXT_UNSAFE(foldChars, foldOffset, c); - } else { - U16_NEXT(inputBuf, fp->fInputIdx, fActiveLimit, c); - foldLength = ucase_toFullFolding(csp, c, &foldChars, U_FOLD_CASE_DEFAULT); - if(foldLength >= 0) { - if(foldLength <= UCASE_MAX_STRING_LENGTH) { // !!!: Does not correctly handle chars that fold to 0-length strings - foldOffset = 0; - U16_NEXT_UNSAFE(foldChars, foldOffset, c); - } else { - c = foldLength; - foldLength = foldOffset; // to avoid reading chars from the folding buffer + if (fp->fInputIdx < fActiveLimit) { // don't read past end of string + if(foldOffset < foldLength) { + U16_NEXT_UNSAFE(foldChars, foldOffset, c); + c_is_valid = TRUE; + } else { + // test pre-condition of U16_NEXT: i < length + U_ASSERT(fp->fInputIdx < fActiveLimit); + U16_NEXT(inputBuf, fp->fInputIdx, fActiveLimit, c); + c_is_valid = TRUE; + foldLength = ucase_toFullFolding(csp, c, &foldChars, U_FOLD_CASE_DEFAULT); + if(foldLength >= 0) { + if(foldLength <= UCASE_MAX_STRING_LENGTH) { // !!!: Does not correctly handle chars that fold to 0-length strings + foldOffset = 0; + U16_NEXT_UNSAFE(foldChars, foldOffset, c); + } else { + c = foldLength; + foldLength = foldOffset; // to avoid reading chars from the folding buffer + } } } + } else { + c_is_valid = 
FALSE; } - - if (fp->fInputIdx <= fActiveLimit) { + + if (fp->fInputIdx <= fActiveLimit && c_is_valid) { if (U_IS_BMP(c)) { success = (*patternChars == c); patternChars += 1; @@ -5673,7 +5684,8 @@ GC_Done: fHitEnd = TRUE; // TODO: See ticket 6074 } } - + // END android-changed + if (!success) { #ifdef REGEX_SMART_BACKTRACKING if (fp->fInputIdx > backSearchIndex && fStack->size()) { @@ -5682,7 +5694,7 @@ GC_Done: // Reset to last start point int64_t reverseIndex = originalInputIdx; patternChars = litText+stringStartIdx; - + // Search backwards for a possible start do { U16_PREV(inputBuf, backSearchIndex, reverseIndex, c); @@ -5696,14 +5708,14 @@ GC_Done: foldLength = foldOffset; // to avoid reading chars from the folding buffer } } - + if ((U_IS_BMP(c) && *patternChars == c) || (*patternChars == U16_LEAD(c) && *(patternChars+1) == U16_TRAIL(c))) { success = TRUE; break; } } while (reverseIndex > backSearchIndex); - + // And try again if (success) { fp = (REStackFrame *)fStack->popFrame(fFrameSize); |
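Review bot: In the first hunk, the new outer guard `if (fp->fInputIdx < fActiveLimit)` also gates the `foldOffset < foldLength` branch, which only drains code units already held in `foldChars` and reads nothing from `inputBuf`. When the last input character has a multi-unit case folding, `fInputIdx` already equals `fActiveLimit` after its first unit is compared, so the remaining units appear to be skipped, `c_is_valid` becomes FALSE and the iteration seems to take the failure path that sets `fHitEnd`, where the old code would have gone on comparing. Testing the fold buffer first keeps the bounds fix without that regression: `if (foldOffset < foldLength) { ... } else if (fp->fInputIdx < fActiveLimit) { ... } else { c_is_valid = FALSE; }`, which also makes the inner `U_ASSERT` redundant. The while loop and the rest of MatchChunkAt continue outside this hunk, so the supplementary-pair comparison is not visible here. A regression test with a caseless literal whose match ends exactly at the end of the input would cover both the original over-read and this case.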